In our company we have around 100 workstations with Internet access, and the day-to-day situation is getting worse and worse from the perspective of using Internet access for the purpose of doing private jobs, and wasting time on social sites.

Open hearted as I am I don't like blocking sites like Facebook, YouTube, and other similar sites but day by day my colleagues do not finish their tasks and any time I look at their monitors they are running Internet Explorer or Mozilla Firefox, chat and things like that.
On the other hand I would like to block YouTube when we have a very low Internet access speed.

Here are my questions:

Do other companies block social sites?

Do I need a dedicated device for that, like a hardware firewall or a super expensive router? Or can I do that with my existing FreeBSD 6.1 self-made router with two LAN cards and configured NAT to act like a router?

I was trying to do that using ipfw and routerfirewall but without success.
My code looks like:

This question exists because it has historical significance, but it is not considered a good, on-topic question for this site, so please do not use it as evidence that you can ask similar questions here. This question and its answers are frozen and cannot be changed. More info: help center.

12

So are you going to block serverfault.com as well? It is somewhat social in nature. :)
– Zoredache Jun 3 '09 at 17:36

23 Answers
23

Yes, but that doesn't mean it is a good idea. The book Predictably Irrational has an interesting discussion and links to several studies that basically suggest that if you block minor personal usage, it can actually cost you in productivity. If people think their work place is friendly and home-like, they are more likely to work from home beyond their 40 hours.

If one individual is causing problems it may be better to work with the individual, than to use a technology solution to simply kill break things. Technology is not a replacement for a manager actually doing their job.

Most filters are easily bypassed, you really should try and avoid getting into an arms race with your coworkers. At some point you will just make your firewall so hostile they won't be able to get actual work done, and you still will probably have not blocked all the possible ways around the firewall.

Do I need dedicated device for that like hardware firewall, super expensive router Or I can do that with my existing FreeBSD 6.1 self made router with two lan cards and configured nat to act like router.

You can install Squid+Squidguard and force all traffic through the proxy. You can set up ACLs to block sites you don't like.

I suggest you set up squid as a proxy, with no ACLs to block anything, and just watch the logs. Force everyone through the proxy (with notice). Then set up something like SARG to build reports. If someone is really having a problem, having a good report will give the employee's supervisor the evidence they need to start addressing the problem.

+1 Seems like most recent research supports this as well, and many even quite large companies are going all-out enabling and encouraging full private<->work-related social networking at work. As you said, the more involved one is, the more work will occupy one's mind - for good and bad (usually company-good, personal-life-bad ;) If someone is just wasting time surfing and not really getting things done, they'd probably waste time some other way if those sites are blocked... it's a people problem, not a technical problem imo
– Oskar Duveborn May 20 '10 at 12:27

1

+1, You'll notice people who are screwing around on the net too much; they won't have work done, they'll quickly minimize whatever's on their screen as you walk up, other time wasting issues. 5 minutes here and there is almost universally made up for as studies have found.
– Chris S♦ Aug 26 '10 at 3:17

1

I massively disapprove of blocking everybody's access to social sites. 1) marketing teams may need facebook, twitter, etc. 2) You should trust your staff not to take the piss. 2a) If you don't trust them, why were they hired. 3) Treat people like adults, and you'll get respect. 4) Using technology to solve social problems is never a good idea. 5) Try educating them on why what they're doing is bad/wrong.
– Tom O'Connor♦ Sep 17 '10 at 19:19

I know from personal experience if we unblock facebook it becomes the #1 bandwidth using website instantly, and around 80% of the users visit several times a day (several hundred users). It gets totally out of hand the second it's unblocked. We've tried it several times. Same goes for youtube, imho.
– Sirex Sep 17 '10 at 22:37

@Sirex, but did blocking it actually change the behavior of the employees, or did they just find something else to distract them from work? It is easy to think you have solved something by looking at a usage report, but from a perspective of real productivity you may not have made any difference, and you probably have annoyed people, meaning they are more likely to screw around in the future. Have you considered investigating alternate methods for motivation?
– Zoredache Sep 17 '10 at 22:44
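
The log-first approach in the answer above (Squid with no blocking ACLs, then reports), as an added Python example that is not part of the original answer or of SARG: it totals requests and bytes per client and site from Squid's native access.log. The log lines, addresses and function names are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout:
# time elapsed client result/status bytes method URL ident peer/host type
SAMPLE_LOG = """\
1244045796.123    210 192.168.1.23 TCP_MISS/200 48211 GET http://www.youtube.com/watch?v=x - DIRECT/203.0.113.10 text/html
1244045801.456     95 192.168.1.23 TCP_MISS/200 1830022 GET http://v1.cache.youtube.com/videoplayback - DIRECT/203.0.113.44 video/x-flv
1244045810.001     12 192.168.1.40 TCP_HIT/200 5120 GET http://msdn.microsoft.com/library/ - NONE/- text/html
1244045822.900    300 192.168.1.40 TCP_MISS/200 20480 CONNECT www.facebook.com:443 - DIRECT/198.51.100.7 -
1244045830.000      5 192.168.1.23 TCP_DENIED/403 1400 GET http://www.myspace.com/ - NONE/- text/html
1244045840.000      7 192.168.1.40
"""

def host_of(method, url):
    """Return the lower-cased destination host of a logged request."""
    if method == "CONNECT":  # HTTPS tunnels are logged as "host:port", no scheme
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def site_of(host):
    """Grouping key: last two DNS labels (an assumption; wrong for co.uk-style suffixes)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def usage_report(log_text):
    """Sum requests and bytes per (client, site); return (totals, skipped_lines)."""
    totals = defaultdict(lambda: {"requests": 0, "bytes": 0})
    skipped = 0
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:  # truncated or rotated mid-write
            skipped += 1
            continue
        client, result, size, method, url = fields[2:7]
        # Denied requests never reached the site, so they are not usage.
        if result.startswith("TCP_DENIED") or not size.isdigit():
            skipped += 1
            continue
        key = (client, site_of(host_of(method, url)))
        totals[key]["requests"] += 1
        totals[key]["bytes"] += int(size)
    return dict(totals), skipped

def top_talkers(totals, n=3):
    """Return the n (client, site) pairs that moved the most bytes."""
    return sorted(totals.items(), key=lambda kv: kv[1]["bytes"], reverse=True)[:n]

if __name__ == "__main__":
    report, skipped = usage_report(SAMPLE_LOG)
    for (client, site), t in top_talkers(report):
        print(f"{client:15} {site:20} {t['requests']:4} req {t['bytes']:10} bytes")
    print("skipped lines:", skipped)
```

For HTTPS through the proxy only the CONNECT host and byte count are logged, so the report sees the site but not the pages visited.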

Except you need the technical solution to figure out who is doing it unless you catch them in act.
– SpaceManSpiff Jun 3 '09 at 16:34

12

If they're not performing, then it's obvious. If they are performing sufficiently, what does it matter if they're looking at websites; they're still getting the work done.
– David Pashley Jun 3 '09 at 16:42

2

I'm with David here. It isn't like there's something magical and awful about not getting your work done due to web use as opposed to not getting your work done due to spending all day doing the times crossword or reading the latest issue of Time magazine.
– RobM Jun 3 '09 at 16:56

define performance...If you are not working you are "wasting" the company's money. Most companies are ok with minor personal surf, myself included since I catch up on the news first thing usually, but what about someone doing it for 3 hours a day, but still getting "all" their work done?
– SpaceManSpiff Jun 3 '09 at 16:58

Totally agree with David. More and more I find myself answering emails at home, or even while at the lake with the family. I work quite often on MY time, and if I decide to take a break at work and browse social networking sites, it shouldn't matter so long as my job is getting done.
– Jim March Jun 3 '09 at 17:01

You know how the RIAA and MPAA publish these insane numbers on how much money piracy is costing them, based on the idiotic assumption that every unit of pirated content would be purchased if piracy were impossible?

You're doing the same thing by assuming that if 'wasting' time on social media were impossible, that time would be spent doing productive work. But unless these are data entry clerks you're talking about, we're probably talking about people with some kind of creative / knowledge-worker aspect to their job, which means that their productivity is a complex thing that doesn't look the same as that of a widget twister on an assembly line. Their use of social media may easily be a key component of their productivity, and attacking it may be attacking what enables them to make you money.

And that's even before we get into the morale impact of treating employees like prisoners on a chain gang.

We only block sites if browsing is interfering with productivity, and we accept the views of local management on the issue (even when we suspect they are exaggerating).

We block sites using a proxy server; usually SQUID, which should run fine on your firewall. We put a rule on the firewall blocking outbound port 80 (and sometimes 443) from all hosts except from servers and the proxy server. Then we use a group policy to configure the proxy in users' Internet Explorer.

We use OpenDNS to block but we don't attempt to monitor who attempted to go there. Personal use, except for social networking, chat and email, is ok; those are the biggest time wastes that were found.
– SpaceManSpiff Jun 3 '09 at 16:38

The best way to block stuff is to have the manager walk around, spending more time near those that don't get things done. If people get work done, why do you care what sites they visit or how much time they spend? If they don't, write them up, and let them move on.

Packet shaping to throttle streaming did our network a great deal of good. Nobody's quite as concerned with the social networking sites now that 3 people pulling YouTube videos doesn't interfere with MSDN downloads.

Make sure to find out what the real pain points are before deciding on a solution.

I work at a college, and we block sites using Websense. Good (not perfect!) but expensive. OpenDNS is cheaper and also pretty good.

At the end of the day, though, my opinion is that there are very few technological solutions to behavioural problems. If your business doesn't want people visiting social networking sites then it needs to make it clear that this is against internet use policy otherwise it becomes a game for some people. By all means use tools to help enforce that policy if needed, but don't just block sites with no explanation or communication.

I also agree with the comment about whether or not the work is being done. If people are meeting their goals then you might well ask where the harm is in letting them loose on the Internet a little as well.

Websense is the devil! We use that here at work, and it is CONSTANTLY blocking useful sites along with other sites, that in my opinion, shouldn't be blocked in the first place.
– Jim March Jun 3 '09 at 18:28

@Jim - In your opinion the sites shouldn't be blocked, but what about the opinion of the person responsible for configuring it? A default install of Websense doesn't block anything except obvious stuff like pr0n, and if sites are mis-categorised by websense then your local websense admin can re-classify them. For example, working in a college, I've re-classified websense's educational category as business use instead of "productivity loss" as per their default. Neither category was actually blocked, this was just to make reports clearer to our PHBs
– RobM Jun 3 '09 at 18:56

I agree that it's an HR / management policy, IT can only put less than perfect technology in place to implement. If there's a problem it should be evident in the performance of the offender.

However, when required to have proof for the purposes of disciplinary action then Internet usage logs are vital to the organization's case. For this the organization must employ a logging / reporting mechanism. Use of this should be communicated to employees and the usage policies should be clearly documented in the employee handbook.

We also perform usage monitoring using WebSense. Categories strictly forbidden by our policy are straight-up blocked. Others that are more loosely regulated are allowed by clicking through a button that equates to the employee saying "I understand this filter and am proceeding because of business reasons". The tool you use is going to depend a lot on the type of policy you have and the size of your organization.

I also totally agree that restricting social sites is becoming more and more of an undesirable thing, especially for the upcoming generations.

We use a combination of OpenDNS but also run an IPCop box in front of the network.

This allows us to restrict sites such as MySpace, FaceBook, YouTube, etc EXCEPT for the lunch hour (12:00pm - 1:00pm).

This allows employees to check their myspace, facebook, etc during their lunch hour but keeps them "focused" on company time.

Periodically we look at the IPCop log files and determine if more sites need to be blocked.

If you implement an IPCop solution you'll quickly discover that after about a week all of the goofing off "magically" stops. You'll also find that you only have to block a handful of sites to increase employee productivity a huge amount.

Good luck

PS - Another great product we've used in the past is SecuredIM (http://www.securedim.com) which allows you to monitor inter-company chat and also take periodic screenshots of a user's desktop if you wish. (ie. Take a snapshot of Joe's desktop every 10 minutes)

What a horrible thing... employees being paid $20/hr++ to play solitaire for 2-4 hours a day. (No, I wish I was making this up.) In today's economy there are people lined up who want to WORK. Why should an employer tolerate an employee who is merely there to collect a paycheck?
– KPWINC Jun 4 '09 at 18:03

As long as employees produce what they should or more, why does it matter? If someone can finish the same set of tasks in a tenth of the time it takes his co-worker - why should that person be punished by having to do 10 times the work because of some old-school "sit through your hours" mindset? (and probably only have 1-2 times the hourly salary at most if tools/processes even exist for it to be recognized) ^^
– Oskar Duveborn May 20 '10 at 12:44

Shouldn't an employee work as hard as they can (within reason) for the money they earn, regardless of the amount? I can tell you I personally know who the "workers vs slackers" are in my organization. The biggest problem with "slackers" is that they tend to bring down others until you have a least common denominator scenario. A more common thing I see is the worker who is paid $25/hr and is pissed because the front desk girl (who is paid $10/hr) is slacking off. This is an apples-oranges comparison but employees don't always see it. Pretty soon everyone wants to slack off equally.
– KPWINC May 24 '10 at 18:06

Most people wrongly assume the aim of web filtering is single-minded - it is not "just" about productivity - though I have seen numerous real world examples where productivity increases where output increases hugely when gentle controls are applied. I work for SmoothWall, a web filtering vendor - so whilst I might have a spot of bias, I am also well experienced!

Websense are even advertising "say yes" these days - and we (SmoothWall) agree. You need to be lenient. Using soft-block (just a reminder this is "non policy") or time bands are 2 ways of slackening things off.

In any case... as I was saying.. not just productivity - I have seen HR issues arising from misuse of social networking, from misuse of adult websites, and from lack of evidence when these happen.

Finally... worth pointing out that not everyone behaves like we expect them to - not everyone has "sysadmin/techie mindset" and will work harder because you give them facebook.. many will take a mile given an inch - human nature I am afraid.

Short Answer: Yes there are companies out there blocking web access (social or other sites)

Long Answer:
From employer point of view: Time used at work, not doing any work, is wasted.
From employee point of view: My work is done, while waiting for more to come, I'll go (to that website) - Depends on the kind of work you do, there can be a gap from when your work is done to when you receive more work to do.

I am one of the employees that got my web access shot down when our company decided to trial WebSense. And the few things I learn from being locked down by websense:

I learn a lot on open proxy, tunneling, and information about circumventing web blocks in general

Big amount of unrest among the staff with the web access lock down - Doesn't affect higher-ups because their access is not restricted

Restricting people from accessing social websites should be part of the company business practice and part of the company work ethic, there should be little or no need for such enforcement through the use of the technology (Reference: David Pashley's comment above).

Enforcement on personal level will be beneficial for both the company and the staff member in the long run. The staff member will be more responsible with their work and their access to social sites, and the company will benefit from more responsible staff members.

Personal Monitoring
Cost: Practically $0. Manager/team leader to spend more time to manage and monitor their team.
Benefit: Staff have less time to visit social sites (to do more work), "might" improve their sense of responsibility in the long run.

Web Blocking Software
Cost: Depends on the software, might be free, might be $$$$. Also, time spent to fine-tuning the software.
Benefit: Save the company time from staff accessing social sites, save the company bandwidth in general.

The best tool for this is Internet Usage Policy with open statistics (but management will object to this, as, you know - they are also people).

1. Block all connections to the outside from user lan, no port exceptions!

2. Get some proxy server, for example - Squid and add filter like Squidguard

3. Now there are two ways: configure user to use proxy (takes some time) or enable transparent proxy (might be problems with SSL connections, but faster).

4. Look for the user, who is happy and uninstall TOR (http://tor.kamagurka.org/index.html.en) from his PC, remove usb, floppy, cdrom, etc, so he cannot use portable version (or better - fire him with a lot of publicity in the company)

Re: Your #4, Tor can run in a standalone method, launched from USB stick. I would suggest that if you were having a hard time finding Tor, watching for network activity on TCP 8118 and 9050, (both Tor ports.)
– Greg Meehan Jun 4 '09 at 14:38

Greg, I might be mistaken, but 8118 port is for privoxy and 9050 - for tor socks proxy that run on users pc and tor is able to use other ports for communication. So basically if I want to monitor 8118 and 9050 ports - I have to monitor users pc in general. Also these ports can be changed very easily.
– Systemsninja Jun 5 '09 at 7:35

Look for the user who is happy, then make him unhappy? You're such an inspiration!
– John Gardeniers May 20 '10 at 13:40

I heard a suggestion from Jason Calacanis in an episode of "This Week in Startups" to send an email to the employees so that they could know how much time they are wasting.

Most users are probably unaware just how much time they are spending on some of these sites. With this method, employees can self-police and also know that if it gets out of hand management would likely know as well.

The sponsor of the show that had the product that could do this was WebSpy.

You shouldn't care about TCP/IP going TO the host, as you have it. You should block incoming traffic, that is:

ipfw add 25 deny tcp from www.youtube.com to 192.168.1.0/24

OR just block the web traffic:

ipfw add 25 deny tcp from www.youtube.com 80 to 192.168.1.0/24

However, this won't block everything because the address www.youtube.com gets converted to the first IP address your DNS finds and your blocking gets munged by load balancing. You can block the whole network if you want to get nasty.
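
An added example (not from the original answer) of checking for the pitfall described above: it finds ipfw rules that name a host and lists the addresses the name resolves to beyond the first. The rule set, the function names and the model of "the rule keeps only the first address" are assumptions for illustration.

```python
import re
import socket

# Constructed rule set; the second line is the rule form used in the answer above.
SAMPLE_RULES = """\
ipfw add 20 allow tcp from 192.168.1.0/24 to any 443
ipfw add 25 deny tcp from www.youtube.com 80 to 192.168.1.0/24
"""

# A DNS name: dot-separated labels containing at least one letter.
# "any", "me", bare IPs and CIDR blocks do not match.
HOSTNAME_RE = re.compile(r"^(?=.*[A-Za-z])[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

def hostnames_in_rule(rule):
    """Return DNS names used as the source or destination address of one rule."""
    words = rule.split()
    names = []
    for keyword in ("from", "to"):
        if keyword in words:
            pos = words.index(keyword) + 1
            if pos < len(words) and HOSTNAME_RE.match(words[pos]):
                names.append(words[pos])
    return names

def system_resolver(name):
    """All IPv4 addresses the local resolver returns for name right now."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def audit(rules_text, resolve=system_resolver):
    """For each hostname-based rule, report addresses the loaded rule would not match."""
    findings = []
    for rule in rules_text.splitlines():
        for name in hostnames_in_rule(rule):
            addrs = resolve(name)
            # Assumption taken from the answer: the name is converted to the
            # first address found when the rule is added, and never refreshed.
            findings.append({
                "rule": rule,
                "name": name,
                "pinned": addrs[:1],
                "missed": addrs[1:],
            })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f["name"], "pinned:", f["pinned"], "not covered:", f["missed"])
```

A non-empty `missed` list means the rule is blocking only part of the site; filtering by name at the proxy, as other answers suggest, avoids the problem.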

It depends on the kind of company that you work for. In my case I work in the Education area and here we are using SmartFilter (expensive as hell). But my point is, depending on the area of work you can block all the social sites using OpenDNS (I used it before we brought SmartFilter).

Are you sure that blocking social networking sites solves the problem?

The problem you state is that the situation is getting worse and worse...

Do you mean that your employees are using too much bandwidth on these social networking sites? Or do you mean that your employees are spending too much of their work time on certain web sites?

If it is the first, then it would be best to get traffic numbers. I'd be for the idea of public traffic numbers, but regardless of whether or not they are public, if the problem is too much network traffic, collecting the numbers would let you make intelligent decisions.

If you have too much traffic then, I'd collect the number for a week or two, and then announce that site zzz.com, aaa.com, etc will be blocked as of a particular date.

If, on the other hand, the problem is that employees are spending too much of their work time the problem isn't a tech problem and should probably be dealt with other ways.

If you still want to deal with this technically then if you collect the traffic numbers you can block the top 10 sites that aren't deemed important to your business and see if things improve.